By Data Movement
Data movement is the first hard constraint. It does not decide the PET alone, but it rules out many bad ideas quickly.
Decision Matrix
| Data movement pattern | Use this when... | Candidate PETs | Avoid this when... | Hidden cost |
|---|---|---|---|---|
| Raw data centralizes | One party is allowed to process data and can be held accountable | Centralized processing, DP, minimization, access controls | The central operator is not trusted or cannot legally receive the data | Concentrated breach and misuse risk |
| Raw data stays at each party | Participants can compute locally and send protected artifacts | FL, federated analytics, secure aggregation, MPC, PSI | Participants cannot run reliable infrastructure or agree on protocols | Coordination, versioning, identity, and dropouts |
| Data enters a controlled environment | Data can move only into a governed or confidential boundary | Clean rooms, TEEs, confidential computing | The platform operator is in the adversary model and hardware trust is unacceptable | Policy, attestation, logging, and procurement |
| Only encrypted inputs move | The service must not see plaintext inputs | HE, MPC, PSI | The workload is broad, interactive, or latency-sensitive without benchmarking | Cost, limited operators, complex debugging |
| Model updates move | Training data remains local but gradients, weights, or metrics leave | FL, secure aggregation, DP, robust aggregation | You cannot tolerate update leakage or poisoning risk | Updates are still sensitive artifacts |
| Data-like artifacts leave | External users need something shaped like data | Synthetic data, DP synthetic data | Users need high-fidelity rare cases or individual-level truth | Memorization testing and utility validation |
Raw Data Can Centralize
Centralization can be the right answer. Do not choose a complex PET only to avoid saying that governance is the real problem.
Use centralization when:
- one accountable operator is acceptable;
- access control, minimization, retention limits, and audit logs are enforceable;
- the workload needs high fidelity, low latency, or operational simplicity;
- the privacy claim is about controlled processing, not cryptographic separation.
Add differential privacy when the released output must limit the contribution of one person, account, device, or organization. DP is an output guarantee; it does not make sloppy data handling safe.
Raw Data Cannot Move
| Need | Better starting point | What can break |
|---|---|---|
| Train a shared model | Cross-silo FL | Update leakage, poisoning, non-IID data, weak local operations |
| Compute aggregate metrics | Federated analytics or MPC | Small-cell leakage, collusion, expensive protocols |
| Find common records | PSI | The intersection may itself be sensitive |
| Serve inference | HE or TEE confidential inference | HE latency, TEE trust assumptions, output leakage |
| Release data-like artifacts | DP synthetic data | Memorization, weak utility, misunderstood residual risk |
The phrase "data cannot move" is underspecified. Ask whether records, features, labels, identifiers, gradients, embeddings, prompts, logs, or outputs can move. Many failures happen because teams protect one artifact and leak another.
Data Moves To A Controlled Environment
Clean rooms and TEEs are useful when data can move only into a governed or confidential environment.
Use this when:
- the main need is controlled collaboration, auditability, or policy enforcement;
- the computation is too broad for HE or MPC;
- the parties accept a platform, hardware, or operator trust assumption;
- outputs can be reviewed before release.
Avoid this when:
- the platform operator is explicitly untrusted;
- participants cannot verify code, policy, logs, or attestation;
- the output will reveal the sensitive fact anyway;
- the team is using "clean room" as a vague procurement label.
Data Moves As Updates
Federated systems move gradients, model deltas, sketches, or metrics. Treat these as sensitive unless there is evidence otherwise.
Use supporting PETs based on the leakage:
| Leakage concern | Add | Caveat |
|---|---|---|
| Coordinator should not inspect individual updates | Secure aggregation | Makes debugging and poisoning detection harder |
| Individual participation should be bounded | Differential privacy | Utility may drop and accounting must be maintained |
| Clients may send malicious updates | Robust aggregation, validation, anomaly detection | Harder when updates are hidden |
| Sites may be small or unique | Minimum round sizes, grouping, DP | Small cohorts can defeat aggregate privacy intuition |
Worked Example: Cross-Bank Fraud Signals
Two banks cannot share raw transactions. They first think "federated learning," but the immediate business question is whether accounts appearing at both banks are associated with known mule patterns.
Better path:
- Use PSI to identify permitted overlap or MPC if the fraud score requires joint features.
- Apply thresholds and output review so tiny match sets are not exposed.
- Consider FL only after there is a stable shared modeling task.
The recommendation changes if the banks need a continuously trained model rather than a specific joint computation.
Checklist
- What exact artifact is forbidden to move?
- Who sees intermediate values?
- Who sees the final output?
- Can parties collude?
- Are there minimum cohort sizes?
- Does the chosen PET protect inputs, outputs, both, or neither?
- What is the cheapest evidence that would disprove the design?